
Openfire 3.8.1 Flash cross domain policy file is no longer being served for http-bind requests


We recently tried to upgrade one of our development servers from 3.7.2 to 3.8.1.

Our version of 3.7.2 had the CORS patch applied to it (http://issues.igniterealtime.org/browse/OF-342).

What we’ve found is that the new version 3.8.1 no longer serves the cross-domain.xml policy file for BOSH requests from Flash.

This means Flash applications can no longer use HTTP binding to connect to the Openfire server.

We tried binding the Flash cross-domain handler to the http-binding using the following system properties (flash.crossdomain.enabled, flash.crossdomain.port), but that just blocked the http-bind handler from binding to that port.

Does anyone have any suggestions on how this can be fixed?

We are experiencing the same issue. I was about to create a new post but saw yours here.

I am unable to load the file: http://nighthawk:7070/crossdomain.xml (nighthawk is my machine name)

Does anyone have a possible fix? Flash and Silverlight clients will no longer work w/ http-bind.



On our server, OF 3.8.1 works flawlessly without any patch needed.

Installed SparkWeb on http://mayplaces.com/imflash/ (http-bind instead of socket).

You can log in using any JID belonging to any domain or other XMPP/Jabber server that has S2S active.

Also, please make sure the server has put crossdomain.xml in its document root, e.g. (/www/myweb/crossdomain.xml), so that it can be accessed like http://mayplaces.com/crossdomain.xml

I am not sure if this will enlighten you or not, but who knows…

Opened http://issues.igniterealtime.org/browse/OF-656 to address this issue.

Thanks Tom, when can we see version 3.8.2 released?

Very good that the issue is already solved. When can we count on the new version 3.8.2 being released?

Is it possible to upgrade only those parts/files which solve that issue from nightly builds? If yes, could you describe which files should be updated?

Thanks in advance! This is really crucial for our project.

You could download the 3.8.1 source, apply the diff (or just edit the HttpBindManager.java file since it’s just a one line change) and compile it.

http://fisheye.igniterealtime.org/browse/openfire/trunk/src/java/org/jivesoftware/openfire/http/HttpBindManager.java?r2=13593&r1=13553

This is part of openfire.jar, so can’t be parted out as a binary update.

Thanks very much, David, for the quick reply.

I would do that, the hint is very helpful. Fortunately, we were able to change our web client to not use the Flash layer (as that was our plan and reason for the upgrade to version 3.8.1). We wanted that patch so urgently for the transition period, but it appears everything works fine now without Flash, so great, and I don’t need to bother with building the whole of Openfire with that fix. Anyway, it will probably be helpful for others.

Thanks, Mariusz


This version works really good, nice work.

Is there a way to bypass this problem without rebuilding Openfire?

I wonder if I can modify Jetty’s configuration a little to point to this file. Is that possible?

I’d kill to get a patched openfire.deb or a patched openfire.jar while waiting for version 3.8.2.


You could grab the most current nightly build - There are Debian packages for it.

http://bamboo.igniterealtime.org/browse/OPENFIRE-NIGHTLYDEB-789/artifact/shared/Project-Debian-distribution-files/

Note this contains more than just the change discussed above, so you’d want to test it before just throwing it into production.

Thanks, I did that first (found the builds just after posting) to try on my Test Server.

But I did a rollback, I want to have a stable version.

The solution I came up with was to install an Nginx listening on another port and pointing to a crossdomain.xml and to a proxy_pass to the Openfire HTTP bindings.

This way, I use NGinx only when needed and OpenFire install is clean.
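
The workaround described in the last post, sketched as an added Nginx configuration (not from the thread or the Openfire project). The listen port 8080, the host name chat.example.com and the allowed origin www.example.com are assumptions; 7070 is the Openfire HTTP-bind port mentioned earlier in the thread and /http-bind/ is Openfire's default BOSH path.

```nginx
# Added example: Nginx serves the Flash policy file and forwards BOSH
# requests to Openfire, so the Openfire install itself stays unmodified.
server {
    listen 8080;                    # assumed: any free port other than 7070
    server_name chat.example.com;   # assumed host name

    # Flash Player fetches /crossdomain.xml from the root of the origin it
    # is about to contact, so the policy must live on this same host:port.
    location = /crossdomain.xml {
        default_type text/x-cross-domain-policy;
        # Name the origin that hosts the SWF explicitly (assumed here to be
        # www.example.com). domain="*" would let Flash content served from
        # any site send requests to this origin.
        return 200 '<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>
';
    }

    # Forward BOSH traffic to Openfire's HTTP binding on the local machine.
    location /http-bind/ {
        proxy_pass http://127.0.0.1:7070/http-bind/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # BOSH holds each request open (long polling): do not buffer the
        # response, and keep the read timeout above the client's wait value.
        proxy_buffering off;
        proxy_read_timeout 120s;
    }

    # Expose nothing else through this listener.
    location / {
        return 404;
    }
}
```

Flash clients then point their BOSH URL at this listener instead of port 7070; `nginx -t` checks the syntax before reloading.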